@Lasya-Prakarsha-D-V

Reason for change: To integrate SE-based device cert for mTLS connectivity in stunnel
Test Procedure: Build and verify SHORTS connectivity
Risks: None
Priority: P1

Signed-off-by: ldonth501 <LasyaPrakarsha_DonthiVenkata@comcast.com>
@Lasya-Prakarsha-D-V Lasya-Prakarsha-D-V requested a review from a team as a code owner November 10, 2025 09:43
Copilot AI review requested due to automatic review settings November 10, 2025 09:43

Copilot AI left a comment

Pull Request Overview

This PR refactors the startStunnel.sh script to improve stunnel configuration management, add retry logic for PID file availability, and implement secure file descriptor handling for passcode management.

Key Changes

  • Moved environment variable exports (TERM and HOME) to after sourcing configuration files
  • Enhanced device type detection with case-insensitive checking and additional logging
  • Implemented dynamic file descriptor allocation with named pipe for secure passcode handling
  • Added retry logic for stunnel PID file reading with improved error handling
  • Changed certificate path variable from CERT_FILE to CERT_PATH

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.


Copilot AI review requested due to automatic review settings December 16, 2025 13:24

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.


Copilot AI review requested due to automatic review settings January 19, 2026 10:47

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.


Copilot AI review requested due to automatic review settings January 22, 2026 08:05

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

lib/rdk/startStunnel.sh:199

  • The error handling around stunnel startup exits before running the "cleanup sensitive files" section, meaning $STUNNEL_CONF_FILE and any sensitive data referenced by $D_FILE are left on disk whenever /usr/bin/stunnel returns a non‑zero exit code. To preserve the previous behavior and avoid leaking sensitive material, perform the cleanup (or at least remove these files) before exiting on stunnel startup failure.
/usr/bin/stunnel $STUNNEL_CONF_FILE
if [ $? -ne 0 ]; then
    echo_t "STUNNEL: ERROR - Failed to start stunnel process."
    exit 1
fi

# cleanup sensitive files early
rm -f $STUNNEL_CONF_FILE
rm -f $D_FILE

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings January 22, 2026 10:55

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

lib/rdk/startStunnel.sh:199

  • When stunnel exits with a non-zero status, the exit 1 path prevents the subsequent cleanup block from running, so $STUNNEL_CONF_FILE and $D_FILE are left on disk even though they are marked as sensitive. To avoid persisting sensitive configuration or key material on stunnel startup failures, the cleanup of these files should also execute on the error path (for example by moving or duplicating the cleanup before exiting on failure).
/usr/bin/stunnel $STUNNEL_CONF_FILE
if [ $? -ne 0 ]; then
    echo_t "STUNNEL: ERROR - Failed to start stunnel process."
    exit 1
fi

# cleanup sensitive files early
rm -f $STUNNEL_CONF_FILE
rm -f $D_FILE
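
The failure mode described in both suppressed comments (cleanup skipped when the launcher exits non-zero) can be closed by registering the cleanup in an EXIT trap before the sensitive files are written. This is an added example, not code from startStunnel.sh or from this PR; `run_with_cleanup`, the file names and the constructed secret are hypothetical, and the launcher argument stands in for /usr/bin/stunnel.

```shell
#!/bin/sh
# Added example: run_with_cleanup and the file names are hypothetical,
# not taken from startStunnel.sh.

# run_with_cleanup <workdir> <launcher...>
# Writes a config file and a secret file into <workdir>, runs the launcher
# with the config path appended, and removes both files on every exit path.
run_with_cleanup() {
    workdir=$1; shift
    (
        umask 077                       # files readable by owner only
        conf_file="$workdir/stunnel.conf"
        d_file="$workdir/passcode"

        # Register cleanup before any sensitive data touches the disk.
        trap 'rm -f -- "$conf_file" "$d_file"' EXIT
        # Turn signals into a normal exit so the EXIT trap still runs.
        trap 'exit 129' HUP
        trap 'exit 130' INT
        trap 'exit 143' TERM

        printf 'constructed-secret\n' > "$d_file"        # constructed sample value
        printf 'pid = %s/stunnel.pid\n' "$workdir" > "$conf_file"

        rc=0
        "$@" "$conf_file" || rc=$?      # safe under "set -e" as well
        if [ "$rc" -ne 0 ]; then
            echo "STUNNEL: ERROR - Failed to start stunnel process." >&2
            exit 1                      # EXIT trap removes the files here
        fi
        exit 0                          # ...and here, on the success path
    )
}

# Stand-alone demonstration with a launcher that always fails.
demo_dir=$(mktemp -d)
run_with_cleanup "$demo_dir" false 2>/dev/null ||
    echo "launcher failed; entries left in workdir: $(ls -A "$demo_dir" | wc -l)"
rmdir "$demo_dir"
```

The subshell keeps the trap local to the function, so a caller's own EXIT handler is not replaced.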

Reason for change: Applying valid Copilot review comments
Test Procedure: Build and verify SHORTS connectivity
Risks: None
Priority: P1

Signed-off-by: ldonth501 <LasyaPrakarsha_DonthiVenkata@comcast.com>